What Happens When XP Expires?

July 13 is Last Day for Security Updates of Aging Operating System

-Day for Microsoft's aging XP Service Pack 2 operating system is July 13.

After that date, Microsoft says it no longer will update or issue security patches for the six-year-old operating system. For organizations that haven't upgraded to XP Service Pack 3 or migrated to one of Microsoft's newer operating systems, they may face difficult times supporting XP's SP2, security experts warn.

"July 13 will be the last day that XP SP2 will be updated or supported, for that matter," says Dr. Johannes Ullrich, chief research officer at the SANS Institute and CTO of the Internet Storm Center. "If a security problem is found, users may be left without a patch to protect them."

Organizations at Risk

An estimated three out of four companies will face security problems after July 13 because they continue to rely on XP SP2. This number comes from a report published by a technology service provider, Softchoice Corp., a Toronto-based company that surveyed 117 organizations throughout the U.S. and Canada. The results show that 77 percent of the organizations surveyed are running XP SP2 on 10 percent or more of their personal computers. Almost 46 percent of the business computers analyzed in the survey rely on the operating system. On average, 36 percent of the PCs in every organization run SP2, according to Softchoice. "This isn't something a company can safely ignore," says Dean Williams, Softchoice's service development manager.

Microsoft announced the retirement of XP SP2 more than two years ago, in April 2008, and Williams says he is surprised to find so many organizations dragging their feet on upgrading. Failing to do so, he says, could create unnecessary security risks as hackers continue to look for vulnerabilities, knowing that software updates will no longer be available from Microsoft.

It is unclear to what degree hackers will continue to attack SP2, as opposed to moving on to SP3 or the newer Windows 7, "But clearly some will try," says Doug Johnson, vice president of risk management policy at the American Bankers Association. Because Microsoft will not be supporting fixes, organizations will be left to their own devices and the efforts of third parties, which is clearly less efficient and potentially leaves those entities more vulnerable to exploitation, he says.

Organizations still running XP SP2 are advised in the short term to move to SP3. "We are being told it is an incremental change from SP2, rather than a giant leap," Johnson says.

'Get With the Program'

The advice from IT and security expert Charisse Castaganoli for XP SP2 users who are "stuck" on that release is not to worry so much about the operating system, but instead focus on what are the real risks of continuing to use Windows XP. Castaganoli, an adjunct professor of law at the John Marshall Law School, is a recent member of the U.S. Department of Commerce's Information Systems Security and Privacy Advisory Board.

She advises organizations should probably "up their game" from traditional vulnerability assessment to a more powerful tool such as an exploit penetration testing solution. Additionally, organizations should consider using a threat management tool. "Threats are moving up the network stack to the application layer," Castaganoli says. "I would spend more time looking at how to protect the application and mitigate OS risk using encryption and application layer security access control."

She says IT departments should keep in mind that a forced or "rushed" migration off Windows XP SP2 could introduce more risk than trying to tighten up the security on the existing architecture.

The foot-dragging in moving away from the soon-to-be-retired operating system has SANS' Ullrich puzzled. "Windows XP SP3 is a pretty straight forward and free upgrade," he says. "I don't really see why people do not move ahead with a free upgrade."

Ullrich urges those who haven't moved over to XP SP3 to take action. "Get with the program; move to SP3 before it is too late." He points out there have been only a few instances where Microsoft released security patches after support ended. "But in those cases, it was essentially a courtesy in case of high profile vulnerabilities," he says. Organizations that faced multiple headaches because of compatibility issues during upgrades to Vista won't have the same compatibility issues with Window 7, which is being touted by Microsoft as having increased security over XP and Vista.

ABA's Johnson says that the move to Windows 7, the newest Microsoft operating system, will take longer for larger organizations. "For large banks (and other large organizations), any software upgrade requires substantial planning and therefore is a significant undertaking," Johnson says. "In the long run, movement toward Windows 7 platforms clearly is on the horizon, as XP is shut down completely."